[ISN] Microsoft zaps Hotmail password bug
From: William Knowles (wk@C4I.ORG)
Date: Tue May 02 2000 - 15:56:40 CDT

http://news.cnet.com/news/0-1005-200-1772642.html?tag=st.ne.1002.bgif.1005-200-1772642

By Paul Festa
Staff Writer, CNET News.com
April 27, 2000, 12:30 p.m. PT

Microsoft has patched a Hotmail bug that left users of the Web-based
email service vulnerable to a password-stealing trick.

The exploit was the latest in a series devised by bug hunters using
JavaScript to launch fraudulent password entry screens to trick people
into handing over control of their accounts.

JavaScript is a Web scripting language designed to take actions on a
Web site visitor's computer, such as launching a new window or
scrolling text across the screen, without the visitor's interaction.

After the first few password-stealing schemes came to light, Hotmail
and other Web email providers decided to filter JavaScript from
incoming messages.

But bug hunters have kept themselves busy finding ways to sneak the
code around Hotmail's filters.

In the example addressed by Hotmail this week, Bulgarian bug hunter
Georgi Guninski demonstrated a way to inject JavaScript through a
style tag. The exploit worked only with Microsoft's Internet Explorer
browser.

In response to news of the bug, Microsoft this week patched the
Hotmail servers.

*-------------------------------------------------*
"Communications without intelligence is noise;
Intelligence without communications is irrelevant."
Gen. Alfred. M. Gray, USMC
---------------------------------------------------
C4I Secure Solutions http://www.c4i.org
*-------------------------------------------------*